Title: Vulnerability Scanning vs Pen Testing
Post by: vadnaisk on January 04, 2011, 12:42:24 PM
New to the boards, and fairly new to the field itself. I've been involved in IT for the last 10 years. The first 8 were R & D activities at a Fortune 500 company, and the last two have been at the University where I graduated so very, very, very... long ago.
We're in the process of launching a vulnerability scanning program in our institution but are seeing a lot of resistance from various departments concerned with us taking down systems, or having access to things they're not comfortable with.
Using a commercial scanning product, what are people's opinions about the value of scanning systems, and whether or not it helps harden the defenses of an institution against actual pen testing?
I'm really interested in any studies or statistics that support/despise vulnerability scanning and how it fits in with an overall security strategy.
As for particular groups, has anyone had experience in selling this type of program to people that operate mostly appliance-type systems (switches, hubs, printers, etc.) rather than actual servers and workstations? I think the approach may have to be a little different for those kinds of individuals. It may be that they have a point about the ROI, but I'm not sold on their stance quite yet.
Thanks in advance for any advice you can give.
Title: Re: Vulnerability Scanning vs Pen Testing
Post by: chrisj on January 04, 2011, 01:32:36 PM
You're in a tough spot. Be able to talk to them on their level, hardware and software wise, and point out what benefits the scan would bring.
Being my company's network engineer (and security wonk), I'd be very leery of any outsider that comes up to the group and says "I'm here to do a scan," or "look what my scan found."
If it was me you were trying to convince:
1) I'd want to have it pointed out who in the upper echelons said we had to have it, who signed off on it, etc. But don't browbeat me with it.
Sell it to me as the uppers wanting a clear stance on our posture so they can make decisions to improve things. (While not trying to make me or my team look bad). As long as those decisions don't lead to the jobs being outsourced.
2) I already know I have systems out of date, so what? They haven't been popped yet, and you're here to give me more work to do. I also know I have someone in marketing with root access on the web server. I was told to do that...
But if you tell me it can be used to find the problems that need to be patched or fixed soonest, and / or change policy and make sure it's enforced, I'd be interested.
3) You're going to cost the department money; IT is usually seen as a cost center. I know I have outdated systems and am running an OS that's 10 years old and hasn't been patched in at least 4 years. But we can't afford newer, or have other people telling me what little budget we have has to be spent on integrating wireless for people to play with their iPads because the course material is coming from a company in that format.
What you need to do is show how you can leverage the scan to help get a larger budget, better equipment, and training for the team.
Basically you have to hack the IT staff at this point. Not their systems but the way they think. To you it's a vulnerability scan; to them it's going to show how the department is incompetent. To you, it's about improving the system; to them it's about giving the school a reason to replace them.
Schedule a morning meeting and bring food (bagels, coffee, etc). Ask them their input from go, and try to be friendly towards them. Just don't stab them in the back.
Oh and as for the concerns of taking things down, at that morning breakfast meeting, bring a test network (that needs patching) and demonstrate Nessus to them.
Sorry I couldn't be more help, and yes, I injected a little in there (and no, my network and systems aren't quite that bad; marketing root access on a web server, I'd quit before it got to that point). :)